CVE-2017-15103

HIGH

Heketi < 5.0.1 - Authenticated Remote Command Execution via API Request


Description

A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation.

References (3)

Issue Tracking, Patch (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1510147
Third Party Advisory, Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:3481
Third Party Advisory (x_refsource_confirm): https://access.redhat.com/security/cve/CVE-2017-15103

Scores

CVSS v3 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.0549 (Percentile 91.8%)
Attack Vector NETWORK

Details

CWE CWE-20, CWE-78
Status published
Products (4)
heketi/heketi 0 - 5.0.1 (Go)
Heketi/Heketi 5.0
heketi_project/heketi 5.0
redhat/enterprise_linux 7.0
Published Dec 18, 2017
Tracked Since Feb 18, 2026